
How to update a brand SSL certificate

Modified on: Tue, 20 Feb 2024 3:56 PM

Pre-requisites:

1. SSL certificate

2. SSL certificate private key



Pre-update:

1. Verify both the SSL certificate and its private key:


    1.1 Check the SSL certificate


        #/> openssl x509 -in name_of_certificate_file.crt -text -noout


    1.2 Check the private key


        #/> openssl rsa -in name_of_private_key_file.key -check


    1.3 Check that the SSL certificate and the private key are a pair. The checksum (MD5) output of both commands has to be identical.

        

        #/> openssl x509 -noout -modulus -in name_of_certificate_file.crt | openssl md5

        #/> openssl rsa -noout -modulus -in name_of_private_key_file.key | openssl md5


2. Rename both the SSL certificate and the private key to reflect the certificate's CN and validity years.

        

    Example:


    The certificate below has CN = cp.example.com and is valid from 2023 to 2024.


    #/> openssl x509 -in new_ssl_certificate.crt -noout -subject -issuer -dates   

        subject=C = MY, ST = Kuala Lumpur, L = Kuala Lumpur, O = Example Organization, CN = cp.example.com

        issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1

        notBefore=Jun  9 00:00:00 2023 GMT

        notAfter=Jul  2 23:59:59 2024 GMT


    Rename the SSL certificate file and its private key file as below, or to something equivalent:

    

    #/> mv new_ssl_certificate.crt cp_example_com_2023-2024.crt

    #/> mv new_ssl_certificate_private_key.key cp_example_com_2023-2024.key


    If the SSL certificate is a wildcard certificate, include the word 'wildcard' in the file name too.

    

    Example of a wildcard SSL certificate. Notice that the CN has a wildcard character '*' in front of the domain name. This certificate is allowed to secure multiple subdomains of cp.example.com.


        #/> openssl x509 -in new_ssl_certificate.crt -noout -subject -issuer -dates   

        subject=C = MY, ST = Kuala Lumpur, L = Kuala Lumpur, O = Example Organization, CN = *.cp.example.com

        issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1

        notBefore=Jun  9 00:00:00 2023 GMT

        notAfter=Jul  2 23:59:59 2024 GMT


Note: This step can be skipped, as the next step offers an option to rename the file or to provide a description of the SSL certificate and its private key.
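
The checks from steps 1 and 2 combined into one script, as an added example that is not part of the original article. It compares public keys rather than the RSA modulus, so it also works for EC keys, and it adds an expiry check; the function names and the position of the `wildcard_` prefix are assumptions, and the subject parsing assumes the OpenSSL output format shown above.

```bash
#!/usr/bin/env bash
# Added example: pre-update checks for a brand certificate and its private key.

# Succeeds only if certificate ($1) and private key ($2) hold the same public
# key. Unlike the modulus comparison, this also works for EC keys.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Reads `openssl x509 -noout -subject -dates` output on stdin and prints the
# base file name from step 2: <cn>_<first year>-<last year>. The "wildcard_"
# prefix and its position are an assumption of this example.
cert_basename() {
    awk '
        /^subject=/   { cn = $0
                        if (!sub(/.*CN *= */, "", cn)) cn = ""
                        sub(/,.*/, "", cn) }
        /^notBefore=/ { from = $(NF - 1) }
        /^notAfter=/  { to = $(NF - 1) }
        END {
            if (cn == "" || from == "" || to == "") exit 1
            prefix = sub(/^\*\./, "", cn) ? "wildcard_" : ""
            gsub(/\./, "_", cn)
            printf "%s%s_%s-%s\n", prefix, cn, from, to
        }'
}

# Checks the pairing, refuses an expired certificate (a check added by this
# example), and prints the file names to use in step 2.
precheck() {
    pair_matches "$1" "$2" ||
        { echo "certificate and private key do not pair" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has already expired" >&2; return 1; }
    base=$(openssl x509 -in "$1" -noout -subject -dates | cert_basename) ||
        { echo "could not read CN and validity dates" >&2; return 1; }
    printf '%s.crt\n%s.key\n' "$base" "$base"
}

# Usage: ./precheck.sh new_ssl_certificate.crt new_ssl_certificate_private_key.key
if [ "$#" -eq 2 ]; then
    precheck "$1" "$2"
fi
```
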


3. Upload both files to the Provider Control Panel (PCP).


    In PCP, go to My Profile > Personal Data > User Repository > Upload Item. In the Item type drop-down menu, pick Certificates.

    If step 2 was skipped, either pick custom in the Item name field and give the file a meaningful name,

    or provide a meaningful description in the Item description field.

    In the Path field, click Choose file > choose the SSL certificate file > click Submit.

    

    Repeat the same steps to upload the private key, but pick Private keys in the Item type field.


    Once they are uploaded, both the certificate and the key are available from the User repository and SSL Certificates.


4. Back up the current brand SSL certificate located on the UI nodes or in the brand-ui-cluster-ui pods:


     Location: /etc/pki/tls/certs/


5. Update the brand with the certificate and private key from the User repository.

    

    In PCP, go to System > Settings > Brands > search for the brand that requires the SSL certificate update > click the brand name > click the Certificate tab > Install New Certificate >

    Pick install from Repository > Next>>

    Pick the previously uploaded certificate > Next>>

    Pick the previously uploaded key > Finish.